Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-55087

CVE-2025-55087: Eclipse ThreadX NetX Duo Buffer Overflow

CVE-2025-55087 is a buffer overflow vulnerability in Eclipse ThreadX NetX Duo SNMP addon affecting versions before 6.4.4. Attackers can exploit crafted SNMPv3 parameters to cause out-of-bound reads. This article covers technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2025-55087 Overview

CVE-2025-55087 is an out-of-bounds read vulnerability in the Simple Network Management Protocol (SNMP) addon of Eclipse Foundation ThreadX NetX Duo. The flaw affects NetX Duo SNMP addon versions before 6.4.4. A remote attacker can trigger the issue by sending a crafted SNMPv3 packet with malformed security parameters. The vulnerability is tracked as [CWE-125: Out-of-bounds Read] and exposes embedded devices running ThreadX NetX Duo to information disclosure and potential denial-of-service conditions.

Critical Impact

Attackers can read memory contents outside intended buffer boundaries on embedded devices running NetX Duo SNMP, enabling information disclosure or process disruption without authentication.

Affected Products

  • Eclipse ThreadX NetX Duo SNMP addon versions before 6.4.4
  • Embedded and IoT devices using the ThreadX real-time operating system with the NetX Duo networking stack
  • Industrial control and edge devices that expose SNMPv3 services through NetX Duo

Discovery Timeline

  • 2025-10-17 - CVE-2025-55087 published to NVD
  • 2025-10-24 - Last updated in NVD database

Technical Details for CVE-2025-55087

Vulnerability Analysis

The vulnerability resides in the SNMPv3 message parser inside the NetX Duo SNMP addon. When the parser processes the security parameters field of an SNMPv3 packet, it fails to fully validate length and offset values supplied by the requester. A crafted packet causes the parser to read past the end of the receive buffer. The out-of-bounds read can leak adjacent memory contents back to the attacker or cause unstable behavior in the SNMP agent task. Because ThreadX targets resource-constrained embedded devices, exposed memory can include cryptographic material, neighboring packet data, or task control structures. The condition is reachable over the network with no authentication, since SNMPv3 security parameter parsing occurs before credential validation completes.

Root Cause

The root cause is missing or insufficient bounds checking when the SNMPv3 user-based security model (USM) parameters are decoded. Fields such as msgAuthoritativeEngineID, msgUserName, msgAuthenticationParameters, and msgPrivacyParameters carry attacker-controlled lengths. The parser trusts these lengths without validating them against the actual remaining packet size. The fix in version 6.4.4 adds the necessary length validation against the packet bounds.

Attack Vector

An unauthenticated remote attacker sends a single malformed SNMPv3 packet to UDP port 161 on a device running a vulnerable NetX Duo SNMP agent. The packet contains crafted Abstract Syntax Notation One (ASN.1) length fields inside the SNMPv3 security parameters block. Parsing the malformed structure causes the agent to read beyond the allocated buffer. Detailed technical information is available in the GitHub Security Advisory GHSA-v474-mv4g-v8cx.

Detection Methods for CVE-2025-55087

Indicators of Compromise

  • Inbound SNMPv3 packets to UDP 161 containing oversized or inconsistent length fields in msgSecurityParameters
  • Repeated SNMP agent task crashes or watchdog resets on ThreadX-based devices
  • Unexpected SNMPv3 traffic originating from non-management network segments

Detection Strategies

  • Inspect SNMPv3 traffic with deep packet inspection rules that validate ASN.1 length fields against actual packet size
  • Alert on SNMPv3 requests where msgUserName or authentication parameter lengths exceed protocol norms
  • Correlate SNMP query bursts with device availability metrics to detect parsing failures

Monitoring Recommendations

  • Log all SNMPv3 sessions targeting embedded and IoT assets, including source IP and message size
  • Monitor syslog and device telemetry for SNMP agent restarts on ThreadX deployments
  • Track firmware versions of NetX Duo components across the asset inventory to confirm exposure

How to Mitigate CVE-2025-55087

Immediate Actions Required

  • Upgrade the NetX Duo SNMP addon to version 6.4.4 or later and rebuild affected firmware images
  • Restrict UDP 161 access to dedicated management subnets through network access control lists
  • Audit asset inventories for any device using Eclipse ThreadX NetX Duo with the SNMP addon enabled

Patch Information

Eclipse Foundation has released NetX Duo SNMP addon version 6.4.4 with proper bounds validation for SNMPv3 security parameter parsing. Refer to the Eclipse ThreadX NetX Duo Security Advisory for fixed commits and integration guidance. Device manufacturers must rebuild firmware against the patched addon and distribute updates to deployed units.

Workarounds

  • Disable the SNMP agent on devices where remote management over SNMP is not required
  • Block UDP 161 at the network perimeter and on internal segmentation firewalls for untrusted zones
  • Where SNMP is required, enforce source-IP allow lists limiting access to authorized network management stations
bash
# Configuration example - restrict SNMP access at the network edge
iptables -A INPUT -p udp --dport 161 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p udp --dport 161 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.